editor's blog
Subscribe Now

Intentionally Fuzzy

All software has bugs; every system has some kind of vulnerability. And the canonical way of dealing with them is to fix the bugs or tighten the code to eliminate system weaknesses. And then we patch our systems, as anyone who has been late to the airport and has shut down their computer in a last-ditch effort to get out the door, only to have the computer say, “Updating 1 of 32… Please do not power down or unplug your computer,” can attest. (Because, when Windows decides it’s time to update, well, there’s not much in this universe that can out-prioritize that.)

Editorials aside, each of those patches required someone to find a problem, then figure out how to fix the problem, then actually fix it, and, finally, test to prove that the fix doesn’t do some other harm. And that all takes time. If the vulnerability is severe, then ne’er-do-wells could be out busily enjoying unfettered access to somewhere they’re not supposed to be while the hole is being plugged.

So, when it comes to security for important infrastructure like utilities and other industrial sites, you can’t wait for the fix. In fact, a fix might not even be forthcoming. Instead, you figure out what malevolent traffic might look like, and you block it. You’re not fixing the broken lock on the door to keep the burglar out; you’re simply putting a dog in front of the door to filter out the burglars.

This is the situation described to me by Wurldtech’s Greg Speakman and Nate Kube shortly after they announced that Siemens’s CERT lab had been certified on Wurldtech’s Achilles certification testing. Achilles is a test facility that includes “fuzzers” – tests that present equipment with traffic that is almost correct, but is mutated here or there. The idea is to see if such “nearly good” traffic can get in and cause an observable change in behavior (which might be benign or might have no deleterious effect unless sustained over time) or, worse yet, cause a system failure. They automatically create tests based on protocol standards and run those against their clients’ systems.

When issues are found, the signatures of the offending traffic enter their database and are used to strengthen the traffic filters. They claim to have found over 350 “0-days” for their clients. The oddly-named “0-day” refers to any vulnerability found by outsiders before the equipment company itself knows about it – they’ve had 0 days to respond to it.

That characterization makes sense for systems already out on the market, but apparently it still applies if a company contracts someone like Wurldtech to help with system validation before shipping the systems. The fact that the issue was found outside the company – even if at the company’s request, before any systems are shipped into the field – seems to qualify it as a 0-day (even though, if the equipment maker bought out the certification house or did similar testing in-house, then the same discovery would no longer be a 0-day).

You can find more on the recent Siemens certification in their release.

Leave a Reply

featured blogs
Oct 27, 2021
ASIC hardware verification is a complex process; explore key challenges and bug hunting, debug, and SoC verification solutions to satisfy sign-off requirements. The post The Quest for Bugs: The Key Challenges appeared first on From Silicon To Software....
Oct 27, 2021
Cadence was recently ranked #7 on Newsweek's Most Loved Workplaces list for 2021 and #17 on Fortune's World's Best Workplaces list. Cadence received top recognition among thousands of other companies... [[ Click on the title to access the full blog on the Cadence Community s...
Oct 20, 2021
I've seen a lot of things in my time, but I don't think I was ready to see a robot that can walk, fly, ride a skateboard, and balance on a slackline....
Oct 4, 2021
The latest version of Intel® Quartus® Prime software version 21.3 has been released. It introduces many new intuitive features and improvements that make it easier to design with Intel® FPGAs, including the new Intel® Agilex'„¢ FPGAs. These new features and improvements...

featured video

What are V³Link SerDes?

Sponsored by Texas Instruments

V³Link ICs are ultra-low latency SerDes that aggregate video, clock, control and GPIO data into a single-wire bidirectional bridge between industry-standard interfaces. Vision-based designs can use V³Link devices to achieve higher resolution, extend cable reach up to 15 meters and reduce system size, weight and power. Learn about the basics of V³Link technology and explore typical applications for V³Link in this training video.

Click here for more information

featured paper

Voltage Balancing Techniques for Series Supercapacitor Connections

Sponsored by Maxim Integrated (now part of Analog Devices)

For applications where supercapacitors need to be charged to more than 2.5V or 2.7V, engineers are forced to connect multiple supercapacitors in a series. This application note reviews the voltage balancing techniques in series supercapacitor connections for Maxim’s MAX38886/MAX38888/MAX38889 backup regulators.

Click to read more

featured chalk talk

Solutions for Heterogeneous Multicore

Sponsored by Siemens Digital Industries Software

Multicore processing is more popular than ever before but how do we take advantage of this new kind of processing? In this episode of Chalk Talk, Jeff Hancock from Siemens and Amelia Dalton investigate the challenges inherent in multicore processing, the benefits of hypervisors and multicore frameworks, and what you need to consider when choosing your next multicore processing solution.

Click here for more information about Multicore Enablement: Enabling today’s most advanced MPSoC systems